NGSSoftware researchers have posted a public advisory to alert users of the free Acrobat Reader 5.1 about a vulnerability in the XML forms data format (.XFDF). The British security consultants warned that a malicious attacker could ’cause a buffer overflow by tricking a user into viewing a specially crafted XFDF document.’ According to the report, Adobe Systems has confirmed that the current version — Adobe Reader 6.01 — ‘is no longer vulnerable,’ and users are strongly advised to upgrade.
From the advisory:
Adobe Acrobat Reader is a viewer that renders PDF documents. The Reader can be extended using the XML Forms Data Format or XFDF. XFDF is a format for representing forms data and annotations in a PDF document. XFDF files have a .xfdf extention and are rendered automatically on downloaded when using applications such as Internet Explorer. Also note that, regardless of the file extention if the MIME type is set to ‘application/vnd.adobe.xfdf’ the file will be treated as a XFDF. When parsing an XFDF document the Adobe Reader suffers from a classic stack based buffer overflow vulnerability.
Planet PDF is also an official mirror site for downloading the free Adobe Reader.